By Brandes Elitch
The EMV (Europay, Mastercard and Visa) data transmission protocol has received significant press over the last year, but the fight against payment card fraud is just beginning. An October 2016 article in The Nilson Report projects that card fraud will grow 42 percent in the next three years, and worldwide, fraud losses will approach $31 billion.
Problems include the delay of gas station EMV adoption, card skimming, data breaches, systemic problems with Card Verification Value numbers for online purchases, and "fallback fraud" occurring when an EMV transaction is processed via a mag stripe.
Members of the Electronic Transactions Association have been busy coming up with new ways to control fraud and manage the enormous growth in cards. The American Bankers Association reported that new credit card accounts are up 8.8 percent year over year, and the total number of open card accounts is now 357 million.
This article discusses several developments you will be hearing more about later this year.
The bank identification number (BIN) is the first six digits of the card number (also called the primary account number, or PAN). The card brands have seen increased demand for card numbers due to tokenization, mobile wallets, replacement account numbers and prepaid cards. Each card brand has devised a proprietary solution. Mastercard will supplement its existing range of account numbers (which now begin with the numeral 5) with a new range that begins with the numeral 2, effectively doubling the number of cards it can support.
This requires a software update for terminals, or changes to a BIN range configuration file or table. Some merchants will require new hardware if their terminals are too old to accept the software update. Online payment pages sometimes auto-select the card brand from the BIN so that the customer doesn't have to enter it; those will need an update as well. Mastercard set a deadline of June 30, 2017, for merchants to be able to accept what it has dubbed "2-series" cards, and has designed 2-series test cards to validate terminals for compliance.
To spur compliance, Mastercard stated that an acquirer may be subject to monthly fines for noncompliance, which could amount to $100 per event for a small merchant. The new cards will be issued this summer.
Payment processors have typically centered their Payment Card Industry (PCI) Data Security Standard (DSS) compliance strategy on PAN truncation to render cardholder data unreadable. PAN truncation keeps the first six and the last four digits and masks the six digits in between, so an attacker has a 1 in 100,000 chance of guessing the original PAN. The proposal for an eight-digit BIN will change these rules.
The possibility of an eight-digit BIN and a 16-digit PAN could impact the software on every terminal, merchant website, processor and card processing network.
The prospect of eight-digit BINs raises significant issues for back-end systems, analytics, databases and reporting systems, and the cost of changing payment terminals would be meaningful. The International Organization for Standardization (ISO) has a working group studying the expansion of BIN numbers, and has suggested a move to eight-digit BINs.
Currently, with a six-digit BIN, positions seven and eight of the PAN are two open slots that issuers use for customer relationship management data about cardholders and their transactions. These would be lost under an eight-digit BIN, engendering a major reengineering effort that would create system-wide implementation challenges.
The real problem is the way that card numbers are allocated and the fact that the existing BIN ranges are not being fully utilized. Currently, there are no immediate plans to adopt eight-digit BINs.
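PAN truncation and the odds it leaves an attacker, as an added example that is not part of the original article: the truncation rule (first six and last four kept), a Luhn check, and a count of how many full PANs are consistent with one truncated value. The count reproduces the 1-in-100,000 figure quoted above for a six-digit BIN and, going one step beyond the article, shows what the same truncation format yields if eight leading digits are kept instead. The PAN used is a constructed Luhn-valid test number; the function names are this example's own.

```python
# Added example (not from the article): PAN truncation, the Luhn check digit,
# and the number of full PANs that match a truncated value.


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_leading: int = 6, keep_trailing: int = 4) -> str:
    """PCI DSS-style truncation: keep the BIN and last four, mask the rest."""
    masked = len(pan) - keep_leading - keep_trailing
    if masked <= 0:
        raise ValueError("truncation would leave no digits masked")
    return pan[:keep_leading] + "X" * masked + pan[-keep_trailing:]


def consistent_pans(truncated: str) -> int:
    """Count full PANs that match the visible digits and pass Luhn.

    Works position by position from the right, tracking how many fillings of
    the masked digits seen so far reach each partial Luhn sum mod 10. This is
    exact and runs in O(masked * 100) rather than enumerating 10**masked PANs.
    """
    fixed_sum = 0
    counts = {0: 1}  # partial sum of masked contributions mod 10 -> number of fillings
    for i, ch in enumerate(reversed(truncated)):
        double = i % 2 == 1
        if ch == "X":
            nxt = {}
            for residue, n in counts.items():
                for d in range(10):
                    v = d * 2 if double else d
                    if v > 9:
                        v -= 9
                    key = (residue + v) % 10
                    nxt[key] = nxt.get(key, 0) + n
            counts = nxt
        else:
            v = int(ch) * 2 if double else int(ch)
            if v > 9:
                v -= 9
            fixed_sum += v
    # The masked digits must bring the total to 0 mod 10.
    return counts.get((-fixed_sum) % 10, 0)


if __name__ == "__main__":
    pan = "2221000000000009"  # constructed Luhn-valid 2-series test number
    six = truncate_pan(pan)
    eight = truncate_pan(pan, keep_leading=8)
    print(six, "candidates:", consistent_pans(six))      # 100000
    print(eight, "candidates:", consistent_pans(eight))  # 1000
```

The counting function is what makes the comparison honest: because the Luhn check digit is among the visible trailing four, exactly one in ten fillings of the masked digits is valid, so masking six digits leaves 100,000 candidates and masking four leaves 1,000. That is the arithmetic behind the article's point that an eight-digit BIN changes the truncation rules.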
When a merchant accepts a transaction that has been key-entered, swiped, or that is part of an ecommerce/card-not-present sale and then converts it to a token, the token needs to be tied to the original transaction that the consumer authorized. Payment Account Reference (PAR) allows the linkage of the cardholder's token with the corresponding PAN without needing the underlying card number.
When a token is created, a PAR value is also created and must be supplied with all future authorization requests. Last year, EMVCo added a new field for PAR, which must be used by acquirers, issuers and merchants. This means potential changes to terminals, gateways, processing systems, and potentially enterprise resource planning and other integrated solutions.
It is projected that a chargeback could be initiated on a transaction without a PAR value because proof of customer authorization is lacking. Merchants whose payment processors cannot support PAR are at risk of chargeback fees, loss of sale proceeds and ending up in an excessive chargeback category – pretty scary.
The Qualified Integrator and Reseller (QIR) certification is a Visa mandate for small businesses to use only vetted companies or individuals to support PCI DSS compliance. It calls for secure installation and maintenance of validated payment applications that process, store or transmit sensitive cardholder data. The professionals who install, support and maintain payment applications should be certified so as not to introduce vulnerabilities into the cardholder data environment. This mandate went into effect on Jan. 31, 2017, and as of that date, all Level 4 merchants must use solution providers with this certification.
The issue here involves remote access solutions (RAS), such as Microsoft Remote Access Desktop, which are typically used to provide remote support for small merchants. If an RAS is not securely installed, it opens a path for a cybercriminal or fraudster, who can then log in, install malware, record keystrokes, capture audio and video from the device, and steal payment card track data.
Some independent software vendors and POS resellers are still not prepared to meet the QIR requirement. The key here is that the installer must use a validated application, compliant with the Payment Application DSS. A directory of qualified providers is available on the PCI Security Standards Council's website, www.pcisecuritystandards.org.
In addition, changes are coming in the world of automated clearing house (ACH) payments. ISOs typically focus on card-related payments, and merchants typically look to their banks for ACH processing. I have an Accredited ACH Professional certificate, and I have a pretty hard time interpreting NACHA ‒ The Electronic Payments Association's rules. Recently, I was trying to figure out whether a transaction over the Internet should have an Internet-Initiated/Mobile Entry (WEB) or Corporate Credit or Debit (CCD) standard entry class code. I had to call WesPay, our local experts, for a ruling, because neither I nor our attorney could figure it out.
I suggest that, for the time being, ISOs, merchant level salespeople and other merchant service providers focus on the changes in the card processing world and let their merchants leave ACH processing to their banks or to qualified third-party processors that specialize in the ACH system. As you can see, it is almost a full-time job just keeping up with all the changes mandated by the card brands.
Brandes Elitch, Director of Partner Acquisition for CrossCheck Inc., has been a cash management practitioner for several Fortune 500 companies, sold cash management services for major banks and served as a consultant to bankcard acquirers. A Certified Cash Manager and Accredited ACH Professional, Brandes has a Master's in Business Administration from New York University and a Juris Doctor from Santa Clara University. He can be reached at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.